Active Directory management with NetTools

Health Check

Monitoring Replication

Replication, and therefore the distribution of changes in Active Directory, is one of the directory service's most important functions. This is especially true for infrastructures whose sites and domain controllers provide services while being physically remote from each other. Unfortunately, inconsistencies in synchronization can cause very unpleasant glitches with a wide variety of causes: The network, the domain name system (DNS), or even policies can sometimes interfere. NetTools comes with a number of features in the AD Replication section that can help shed light on this problem.

The monitoring functions range from health checks for a site to analyzing replication at the attribute level. The Attribute Replication function (Figure 2) lets you look into the details. To do this, you need to specify the distinguished name (DN) of the object to be examined. A detail window then shows the attributes of the object, along with a list of domain controllers in the left-hand section. After you decide which of the DCs need to take part in the comparison, pressing Compare displays the attribute content for each DC.

Figure 2: Help with troubleshooting: Attribute Replication checks whether identical object information exists on several DCs.
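The comparison that Attribute Replication performs can be modeled offline. The following is an added example, not NetTools code: the function names, the sample object, and the DC names are constructed, and the list of attributes skipped is limited to ones Active Directory keeps per domain controller and does not replicate.

```python
# Added example: offline model of an attribute-level replication comparison.
# These attributes are stored per domain controller and are not replicated,
# so differing values are expected and must not be reported as drift.
NON_REPLICATED = {"lastlogon", "logoncount", "badpwdcount",
                  "badpasswordtime", "whenchanged", "usnchanged"}

def normalize(values):
    """Treat an attribute as an unordered set of string values."""
    if values is None:
        return frozenset()
    if isinstance(values, (str, bytes, int)):
        values = [values]
    return frozenset(str(v) for v in values)

def compare_replicas(snapshots):
    """snapshots: {dc_name: {attribute: value or list of values}}.
    Returns {attribute: {dc_name: sorted values}} for every replicated
    attribute whose content is not identical on all DCs."""
    names = {a.lower(): a for snap in snapshots.values() for a in snap}
    drift = {}
    for key, display in sorted(names.items()):
        if key in NON_REPLICATED:
            continue
        per_dc = {}
        for dc, snap in snapshots.items():
            lowered = {a.lower(): v for a, v in snap.items()}
            per_dc[dc] = normalize(lowered.get(key))  # missing counts as empty
        if len(set(per_dc.values())) > 1:
            drift[display] = {dc: sorted(v) for dc, v in per_dc.items()}
    return drift

# Constructed sample: one service account as read from three DCs.
SAMPLE = {
    "DC1": {"displayName": "svc-app", "userAccountControl": 512,
            "servicePrincipalName": ["HTTP/app01", "HTTP/app01.example.test"],
            "lastLogon": 133500000000000000},
    "DC2": {"displayName": "svc-app", "userAccountControl": 512,
            "servicePrincipalName": ["HTTP/app01.example.test", "HTTP/app01"],
            "lastLogon": 0},
    "DC3": {"displayName": "svc-app", "userAccountControl": 514,
            "servicePrincipalName": ["HTTP/app01"],
            "lastLogon": 133400000000000000},
}

if __name__ == "__main__":
    for attr, per_dc in compare_replicas(SAMPLE).items():
        print(attr, per_dc)
```

A difference in a replicated attribute such as userAccountControl means one DC has not yet received a change, whereas differing lastLogon values are normal.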

The AD Replication | Domain Changes option is somewhat simpler, but just as helpful. After you specify a domain controller, the tool returns replication information if a change has occurred. If you want to know how long it takes for changes in a partition to replicate, Replication Latency is the right place to look. To begin, you need to specify the DN of an object, which is then created and deleted again. Both write processes can be monitored in terms of time. In this way, comparisons can be made and any weak points in regional network connections can be located.

Depending on the application scenario, you can use the tool that best suits each case. The current 1.31 version of the toolbox contains 10 functions that offer versatile views of replication, which is all the more valuable because the on-board tools have little to offer in this regard.

LDAP Directory Without the Frills

NetTools enables versatile access to LDAP directories with various LDAP functions. The focus is on Active Directory, but you are not restricted to AD as long as the directory you want to access follows the LDAP API standard. An LDAP browser delivers directory information in the form of raw data, unlike the Active Directory admin tools that prettify data here and there and validate user input before making changes. For example, the LDAP Search function integrated into NetTools supports SSL-based access, and even write access is possible without leaving the client.

An admin does not need any knowledge of LDAP syntax. The query criteria are created in the GUI with the use of drop-down lists (Figure 3). More than 280 predefined LDAP queries are found under Favorites, which is very useful. Besides illustrative material, you'll find a number of useful tools for practical admin work.

Figure 3: Like the cockpit of an airplane, the LDAP client comes with a plethora of settings.

Most administrators will be really excited to see the catalog of LDAP queries. Do you need a list of groups without members? Do you want to know which GPOs were modified in the last 10 days? Predefined queries bring this information and far more to light. New queries are quite easy to create by editing existing queries and then adding the modified versions to the catalog. The ability to import and export LDAP statements via the clipboard rounds off the feature set, leaving virtually no wishes unfulfilled. The option to write the output to files means that you are not restricted to the GUI in the tool but can process the info downstream (e.g., in Excel).
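The two questions above can be written as raw LDAP filters. This is an added example, not the query text shipped in the NetTools catalog, which the article does not show; the function names are hypothetical. Because a raw LDAP client does not validate input, the last helper escapes operator-supplied text before it goes into a filter.

```python
# Added example: building the LDAP filters for the two questions in the text.
from datetime import datetime, timedelta, timezone

def escape_filter_value(value):
    """Escape text for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def generalized_time(moment):
    """Format an aware datetime as the generalized time used by whenChanged."""
    return moment.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")

def groups_without_members():
    # Caveat: membership held only through primaryGroupID is not stored in
    # 'member', so such groups match this filter although they are in use.
    return "(&(objectCategory=group)(!(member=*)))"

def gpos_changed_since(days, now=None):
    # Caveat: whenChanged is local to each DC, so the result can differ
    # slightly depending on which domain controller answers the query.
    now = now or datetime.now(timezone.utc)
    cutoff = generalized_time(now - timedelta(days=days))
    return "(&(objectClass=groupPolicyContainer)(whenChanged>=%s))" % cutoff

def groups_named(prefix):
    """Prefix search on cn; only the trailing * acts as a wildcard."""
    return "(&(objectCategory=group)(cn=%s*))" % escape_filter_value(prefix)

if __name__ == "__main__":
    print(groups_without_members())
    print(gpos_changed_since(10))
    print(groups_named("ops)(member=*"))  # constructed hostile-looking input
```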

Advanced View 2.0

Like the standard Users and Computers console (dsa.msc), you can also use the various NetTools functions to display object properties. You are probably aware of the advanced display variant in dsa.msc if you enable the Advanced Features in the View menu. The Properties dialog for a user account still provides the basic info in this case, but you can also display other content such as the object attributes.

Much more awaits you in NetTools. The information is integrated in the Properties dialog and varies as a function of the type of object you are viewing. For a user account, for example, you also have the option of displaying the last password change date, the Fine Grain Password Policy if applicable to the user, or which domain controller the user logged in with and how often they did so. This information can help narrow down individual issues.
